Privacy policy
GENERAL
FeBi attaches great importance to respecting your privacy.
We take the necessary measures to protect your personal data and its processing.
Below you will find more information.
If you have any questions, please contact us at: gdpr@fe-bi.org
PRINCIPLES
Lawful processing
The processing of personal data is only permitted if:
- The individual has given consent;
- The processing is necessary for the performance of a contract;
- The processing is required by law, decree, or ordinance;
- The processing is necessary to protect a vital interest;
- The processing is necessary for the performance of a task carried out in the public interest;
- The processing is necessary to safeguard a legitimate interest of the controller.
Fair and transparent processing, collection for specific purposes
Anyone collecting personal data must clearly state the purpose. Data collected for one purpose cannot be used for another. Personal data must not be collected without the knowledge of the individuals concerned, who must be informed of how their data will be used.
Adequate and relevant data
The purpose of collection must be clearly specified, and the requested data must be directly linked to that purpose.
For example: collecting email addresses for sending a newsletter is relevant, but collecting date of birth or marital status is not.
Sensitive data
As a rule, it is not permitted to collect certain sensitive data, such as information about race, political opinions, philosophical or religious beliefs, trade union membership, health, sexual life, suspicions, prosecutions, or criminal convictions.
Exceptions may apply if explicit consent is given or in the context of healthcare or scientific research.
Accurate and up-to-date data
The controller must ensure that data is accurate and updated when necessary. Incorrect or incomplete data must be corrected or deleted.
Data retention period
Personal data may only be stored for as long as necessary to achieve the intended purpose. Afterward, data must be deleted or anonymized.
Security & confidentiality
The controller must ensure that only authorized persons have access to the data required for their duties. Data must also be protected against undue curiosity (internal or external) and unauthorized manipulation.
OBLIGATIONS FOR NON-PROFIT ORGANIZATIONS
Data controller and register
In principle, the law requires notification of data processing. However, some cases are exempt:
- Processing by a company for HR management;
- Processing by a foundation or non-profit regarding members, donors, and regular contacts;
- Processing by schools or educational institutions regarding students.
Despite this exemption, the non-profit must appoint a data controller. This controller must provide, upon request, a register containing:
- The name of the processing activity;
- The purpose(s) of the processing;
- Categories of personal data processed;
- Relevant legal or regulatory provisions;
- Recipients to whom data may be disclosed;
- Safeguards for disclosure to third parties;
- How individuals are informed about the use of their data;
- Contact details of the data controller;
- Categories of data transferred abroad, destination country, and purpose of transfer;
- Duration of data retention;
- Organizational and technical security measures.
Technical and organizational measures – Data protection policy
Two types of measures must be taken:
- Organizational (restricting access to data, use of passwords, secure premises, etc.);
- Technical (anonymization, encryption, etc.).
Obligation to report data breaches
In the event of a data breach or leak, the controller must notify the relevant supervisory authority within 72 hours, and also the individuals concerned.
Notification is not required if the breach poses no risk to the rights and freedoms of individuals.
EXCEPTIONS
The law does not apply in the context of purely personal or household activities, such as keeping a private address book or personal electronic calendar.
For journalistic or artistic purposes, partial application of the law is foreseen (balancing privacy protection with freedom of expression).
Exceptions also apply for processing data in the context of public security.
DEFINITIONS
- Personal data: any information relating to an identified or identifiable natural person (e.g. name, photo, phone number, fingerprint, bank account number, etc.). Data relating to professional or public life also qualifies as personal data.
- Processing: any operation performed on data in an automated or partly automated way (e.g. consultation, use, modification, communication). For non-automated processing, the law applies if the data is part of a structured manual file (e.g. alphabetical order).
- Data controller: any natural or legal person determining the purposes and means of processing personal data, including de facto associations and public authorities.
- Supervisory authority: in Belgium, this is the Data Protection Authority (formerly the Commission for the Protection of Privacy).
- Right to information: as soon as personal data is collected, individuals must be informed about its intended use.
- Right to request information: anyone may ask a controller whether data about them is held. If so, the controller must clarify the purpose, the data categories, and the recipients.
- Right of access: individuals are entitled to receive a copy of their personal data and information on its origin, upon proof of identity.
- Right to rectification: individuals can have incorrect data corrected, and incomplete, irrelevant, or unlawful data deleted or restricted.
- Right to object: individuals may object to the processing of their personal data for serious and legitimate reasons. In the case of direct marketing, objection can be made freely and without justification.
- Right not to be subject to automated decision-making: individuals cannot be subject to decisions with significant effects based solely on automated processing, unless based on a contract or legal requirement.
SPECIFIC TO NON-PROFIT INSTITUTIONS
- Appointment of a data controller: every organization must designate a responsible person for data processing.
- Creation of a data register: for each specific processing activity, the controller must maintain a register.
- Compliance with additional obligations: organizations must ensure that technical and organizational measures are in place to secure personal data and comply with the obligation to report any breaches or data loss.
GDPR STATEMENT OF NECESSARY ADJUSTMENTS
Read the declaration on honour.
CONTACT
For any further questions, please contact us by email: gdpr@fe-bi.org
Or by post:
FeBi vzw
Sainctelettesquare 13-15
1000 Brussels